OWIN pipeline account linking

    SecurityTokenValidated = (context) =>
    {
        // Identity the OpenID Connect middleware built from the validated token
        ClaimsIdentity t = context.AuthenticationTicket.Identity;

        t.AddClaims(new[] {
            new Claim("authnContext", "UserAuthenticated"),
            new Claim("RapAuthnContext", "UserAuthenticated")
        });

        // Account linking: one particular external identity is mapped onto the local "rapstaff" account.
        // The replacement identity gets the local Name claim first, then all of the original claims,
        // so ClaimsIdentity.Name (the first Name claim) now reads "rapstaff".
        if (t.Name.EndsWith("ae4iZRA_KmNnp3W_X8QVk2AUZB1EPARsrYQiX3SwSz4"))
        {
            var identity = new ClaimsIdentity(t.AuthenticationType, ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType);
            identity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, "rapstaff"));
            identity.AddClaims(t.Claims);
            AuthenticationTicket ticket = new AuthenticationTicket(identity, context.AuthenticationTicket.Properties);
            context.AuthenticationTicket = ticket;
        }

        return Task.FromResult(0);
    }
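The suffix match on the display name is the weakest part of the linking above: at most identity providers the name or e-mail claim is something the user can change, whereas the pair of token issuer and subject (the "sub" claim, which the Katana JWT handler maps to ClaimTypes.NameIdentifier) is the stable identifier for an account. The following is an added example, not the post's code, that links on that pair against a hypothetical in-memory table and can be called from the same SecurityTokenValidated callback; the issuer URL, subject values and table contents are constructed samples, and the "linkedIssuer"/"linkedSubject" claim names are my own choice.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example (not the post's code): link an external login to a local account by the
// token's (issuer, subject) pair rather than by a suffix of the user-visible name.
public static class AccountLinker
{
    // Hypothetical linking table keyed by (issuer, subject). In a real deployment this is
    // a store that only an administrator, or a flow that has verified the user, may write to.
    private static readonly Dictionary<Tuple<string, string>, string> Links =
        new Dictionary<Tuple<string, string>, string>
        {
            // constructed sample entry: one external subject mapped to the local "rapstaff" account
            { Tuple.Create("https://idp.example.invalid/", "subject-123"), "rapstaff" }
        };

    // Returns a local identity (local Name claim first, then the external claims), or null
    // when the external subject is not linked, in which case the caller leaves the ticket alone.
    public static ClaimsIdentity Link(ClaimsIdentity external)
    {
        // The JWT handler maps the token's "sub" claim to ClaimTypes.NameIdentifier and stamps
        // each claim with the token's issuer, so this pair identifies the account at that IdP.
        Claim subject = external.FindFirst(ClaimTypes.NameIdentifier);
        if (subject == null) return null;

        string localName;
        if (!Links.TryGetValue(Tuple.Create(subject.Issuer, subject.Value), out localName))
            return null;

        var identity = new ClaimsIdentity(external.AuthenticationType,
            ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType);
        identity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, localName));
        // Keep a record of which external identity was linked, for audit.
        identity.AddClaim(new Claim("linkedIssuer", subject.Issuer));
        identity.AddClaim(new Claim("linkedSubject", subject.Value));
        // Carry the external claims across, minus the external Name claim: ClaimsIdentity.Name
        // returns the first Name claim, so leaving a second one in is a source of confusion.
        identity.AddClaims(external.Claims.Where(c => c.Type != ClaimsIdentity.DefaultNameClaimType));
        return identity;
    }

    // In the post's SecurityTokenValidated callback the call would be:
    //   var linked = AccountLinker.Link(context.AuthenticationTicket.Identity);
    //   if (linked != null)
    //       context.AuthenticationTicket = new AuthenticationTicket(linked, context.AuthenticationTicket.Properties);

    public static void Main()
    {
        // Constructed sample of what the middleware would hand over after validating a token.
        var external = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "subject-123", ClaimValueTypes.String, "https://idp.example.invalid/"),
            new Claim(ClaimsIdentity.DefaultNameClaimType, "someone@example.invalid"),
            new Claim("authnContext", "UserAuthenticated")
        }, "OpenIdConnect");

        ClaimsIdentity linked = Link(external);
        Console.WriteLine(linked == null ? "not linked" : "linked as " + linked.Name);

        // A different subject at the same issuer is not linked, even with the same display name.
        var stranger = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "subject-999", ClaimValueTypes.String, "https://idp.example.invalid/"),
            new Claim(ClaimsIdentity.DefaultNameClaimType, "someone@example.invalid")
        }, "OpenIdConnect");
        ClaimsIdentity other = Link(stranger);
        Console.WriteLine(other == null ? "not linked" : "linked as " + other.Name);
    }
}
```

Keying on the claim's Issuer as well as its value matters when the pipeline trusts more than one identity provider: two providers can legitimately issue the same subject string, and the table must not let one of them impersonate an account linked through the other.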
Posted in AAD

Internet Explorer 11 adds support for HTTP Strict Transport Security standard

https://support.microsoft.com/en-us/kb/3071338

Posted in coding theory

Lecture 1: Mass, Length and Time | CosmoLearning Physics

http://cosmolearning.org/video-lectures/lecture-1-mass-length-and-time-9723/

I like this guy. See the last 10 lectures.

Posted in coding theory

Mint forms auth cookie using owin

The old forms authn module has a method that enabled one to mint a ticket and cookie.

In the case of the new cookie middleware, which plays the same role as the forms authn module, we have to do the following, providing a bag of claims:

On the login page once the user’s credentials have been validated, we can call into OWIN to authenticate the user. We don’t call the cookie middleware directly, instead we call into the “OWIN Authentication Manager”, which is an abstraction for all of the possible OWIN authentication middleware that’s being used. This call can be seen in the new templates and here’s the code if you wanted to invoke it yourself:

    var claims = new List<Claim>();
    claims.Add(new Claim(ClaimTypes.Name, "Brock"));
    claims.Add(new Claim(ClaimTypes.Email, "brockallen@gmail.com"));

    var id = new ClaimsIdentity(claims,
        DefaultAuthenticationTypes.ApplicationCookie);

    var ctx = Request.GetOwinContext();
    var authenticationManager = ctx.Authentication;
    authenticationManager.SignIn(id);

The above code creates the set of claims to represent the identity of the user and creates a ClaimsIdentity from the claims. Note the second parameter to the ClaimsIdentity constructor — this indicates the type of authentication. In the OWIN authentication middleware, this authentication type must match that of the middleware being targeted. So since this code is presumably trying to issue a cookie, then this value must be the same as the name we assigned to the cookie middleware from the ConfigureAuth initialization code from above.

Once the ClaimsIdentity is created, we then access the OwinContext which has the AuthenticationManager. We use its SignIn API passing the ClaimsIdentity. This then matches the authentication type to the corresponding authentication middleware and since we match the cookie authentication middleware, a cookie is issued that contains the claims of the ClaimsIdentity.

An additional option on the SignIn API is to pass an AuthenticationProperties object. This has an IsPersistent property that indicates if the cookie is to be persistent.

From http://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/
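For the quoted code to issue a cookie, the cookie middleware has to have been registered with the same authentication type, and the quoted text refers to a ConfigureAuth that is not reproduced here. The following added example (mine, not Brock Allen's and not taken from a project template) shows such a registration alongside a sign-in helper that passes the AuthenticationProperties flag the text mentions. It assumes the Microsoft.Owin.Security.Cookies, Microsoft.Owin.Host.SystemWeb and Microsoft.AspNet.Identity.Core packages; the login path, the cookie lifetime and the CookieSignIn helper are my own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Web;                          // GetOwinContext() extension (Microsoft.Owin.Host.SystemWeb)
using Microsoft.AspNet.Identity;           // DefaultAuthenticationTypes
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example (not from the quoted post or a template): cookie middleware registration.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            // This name is what SignIn() matches against the ClaimsIdentity's AuthenticationType.
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),   // arbitrary path for this example
            CookieHttpOnly = true,                          // script in the page cannot read the ticket
            CookieSecure = CookieSecureOption.Always,       // the ticket is never sent over plain HTTP
            ExpireTimeSpan = TimeSpan.FromMinutes(30),      // arbitrary lifetime for this example
            SlidingExpiration = true
        });
    }
}

// Hypothetical helper: call it once the user's credentials have been validated.
public static class CookieSignIn
{
    public static void Issue(HttpContextBase httpContext, string userName, string email, bool rememberMe)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, userName),
            new Claim(ClaimTypes.Email, email)
        };
        // The second argument must equal the AuthenticationType given to the cookie middleware;
        // otherwise no middleware claims the sign-in and no cookie is written.
        var id = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);

        var authenticationManager = httpContext.GetOwinContext().Authentication;
        // IsPersistent turns the session cookie into one that survives the browser being closed.
        authenticationManager.SignIn(new AuthenticationProperties { IsPersistent = rememberMe }, id);
    }
}
```

CookieSecureOption.Always is the setting worth checking in a deployed app: with the default (SameAsRequest) a single plain-HTTP request to the site is enough for the browser to send the ticket in the clear.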

Posted in AAD

acs as IDP for AAD

$msolcred = Get-Credential -UserName admin@netmagic.onmicrosoft.com
Connect-MsolService -Credential $msolcred -ErrorAction Stop

$aActiveLogOnUri = "https://bariazuressoowin.accesscontrol.windows.net/v2/wstrust/mex"
$aFederationBrandName = "ACS based IDP"
$aIssuerUri = "https://bariazuressoowin.accesscontrol.windows.net/"
$aLogOffUri = "https://bariazuressoowin.accesscontrol.windows.net:443/v2/wsfederation"
$aMetadataExchangeUri = "https://bariazuressoowin.accesscontrol.windows.net/v2/wstrust/mex"
$aPassiveLogOnUri = "https://bariazuressoowin.accesscontrol.windows.net:443/v2/wsfederation"
# base64-encoded ACS namespace signing certificate (the value itself is not reproduced here)
$cert = "<base64 signing certificate, elided>"

# each endpoint parameter gets its own variable (passive log-on and log-off happen to share a URL on ACS)
Set-MsolDomainAuthentication -Authentication Federated -DomainName metrolistmlsqa.com -FederationBrandName $aFederationBrandName -ActiveLogOnUri $aActiveLogOnUri -IssuerUri $aIssuerUri -PassiveLogOnUri $aPassiveLogOnUri -LogOffUri $aLogOffUri -SigningCertificate $cert -MetadataExchangeUri $aMetadataExchangeUri

At office.com we try:

[image]

which gives:

[image]

When we configure the RP in ACS (to assert to AAD, the WS-Federation FP), we see:

[image]

urn:federation:MicrosoftOnline

https://login.microsoftonline.com/login.srf

If we use a classical AAD RP, https://graph.windows.net, we see:

[images]

So we add fixed claims (in the ACS claims transform), for UPN and ImmutableID:

[image]

rapstaff@metrolistmlsqa.com http://schemas.xmlsoap.org/claims/UPN

and

[image]

http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID

ZjlmOWQxNzYtZjU3NS0xOWFjLTkxOTQtYTlmMmNhZWM2ZWM0

and we ignore the original Google nameid value:

[image]

Eventually, we get to log on to an AAD app (via Google, via ACS!):

[images]

Posted in AAD

owin pipeline to ACS and thence to google openid connect

We create an ACS gateway:

[image]

Wtrealm = "https://ssoportal.rapmlsqa.com/spssohandler.aspx/bari",
MetadataAddress = "https://bariazuressoowin.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml",
Wreply = "https://localhost:44320/",

And tie it to a new RP (an Azure AD sample):

[image]

To ACS, we wish to add Google as the IDP. So, in the Google developer console, we add the ACS RP to our cloud identity project:

[images]

Client ID: 328410290065-hmthip0eq46a0kjfnmr74f7huaa9h6l8.apps.googleusercontent.com

Email address: 328410290065-hmthip0eq46a0kjfnmr74f7huaa9h6l8@developer.gserviceaccount.com

Client secret: ZxfAlDen5wpisd7pkfBIWIlO

Redirect URIs

JavaScript origins

    Note, we also arm the Google+ API:

    [image]

    Back in ACS, we plug in the parameters:

    [images]

    On an end-to-end trial, we see that the OWIN pipeline can totally configure itself (when ACS is using its namespace cert for signing the RP assertion):

    [image]

    Note a gotcha: if ACS is using a different cert for the RP, then this is NOT published in the ACS metadata (and you get a keyid error in the OWIN pipeline, upon processing the security features of the token).

    Posted in AAD

    graph console Azure AD sample–for federated user

    To make a federated user, change the code, adding a subroutine that is called when making a user:

        public class Program
        {
            // Derive the ImmutableId from the UPN: MD5 of the UPN bytes, read as a GUID, then the
            // GUID's string form base64-encoded. This is the value the federating IDP (ACS here)
            // must later assert in the ImmutableID claim for the user to be matched.
            static void immut(IUser newUser)
            {
                var bytes = System.Text.Encoding.Default.GetBytes(newUser.UserPrincipalName);
                var md5 = new System.Security.Cryptography.MD5CryptoServiceProvider();
                var hashbytes = md5.ComputeHash(bytes);
                var result = new Guid(hashbytes);
                var resultstring = result.ToString();
                var resultstringbytes = System.Text.Encoding.Default.GetBytes(resultstring);
                var base64 = System.Convert.ToBase64String(resultstringbytes);
                newUser.ImmutableId = base64;
            }

            ....

            #region Create a new User

            IUser newUser = new User();
            if (defaultDomain.Name != null)
            {
                newUser.DisplayName = "Sample App Demo User (Manager)";
                newUser.UserPrincipalName = Helper.GetRandomString(10) + "@" + defaultDomain.Name;
                newUser.AccountEnabled = true;
                newUser.MailNickname = "SampleAppDemoUserManager";
                newUser.PasswordProfile = new PasswordProfile
                {
                    Password = "TempP@ssw0rd!",
                    ForceChangePasswordNextLogin = true
                };
                newUser.UsageLocation = "US";
                immut(newUser);   // the added call: set ImmutableId before the user is created

                try
                {
                    activeDirectoryClient.Users.AddUserAsync(newUser).Wait();
                    Console.WriteLine("\nNew User {0} was created", newUser.DisplayName);
                }
                catch (Exception e)
                {
                    Console.WriteLine("\nError creating new user {0} {1}", e.Message,
                        e.InnerException != null ? e.InnerException.Message : "");
                }
            }
    Posted in AAD

    Playing with windows tokens bound to AzureAD

    We see that a "Windows authentication" allows one to access SQL Server and databases with Windows identity requirements, where the Windows token was created in association with Azure AD.

    [image]

    If, on our Windows 10 box bound to Azure AD's netmagic.onmicrosoft.com tenant, we now create a Windows authentication web app, what do we expect to see in the claims identity?

    [images]

    Locally hosted, we see:

    [images]

    When hosted in Azure we see:

    [images]

    Posted in AAD

    azureAD users and sql install

    [image]

    Posted in AAD

    azure site recovery… (vs data disk backup)

    [images]

    It turns out that Windows 10 (consumer) cannot act as a site recovery source. Abandon!

    Posted in coding theory

    runbook

    Since the Operations Manager suite can monitor the running of runbooks, let's create one!

    [image]

    Next, let's import the runbook script:

    [image]

    We now edit/author the script (and test it):

    [images]

    Running the published script (as a job).

    Back at the Ops Manager suite, we can now monitor the jobs in this automation account:

    [images]

    Posted in AAD

    google sample code for signon

    https://github.com/googleplus/gplus-quickstart-csharp.git

    [image]

    We create the client id, etc.:

    [images]

    Could not really get the thing to compile/link correctly, so gave up.

    Posted in google

    vs 2015 RC, xamarin emulator

    Took a week to make the visual studio android emulator work.

    First, it was hard to get a complete set of updates for the Windows 10 preview. I ended up installing cleanly, from disk. Only then would the arming of optional Windows Hyper-V components actually work (from control panel, install…).

    [image]

    Then, I had to run Visual Studio as "administrator" from the start menu. Otherwise, "could not remove" errors would stop launch.

    [image]

    It may or may not be relevant that I created a virtual switch, too.

    Posted in coding theory

    operations management suite

    We install it on our finally Hyper-V-enabled enterprise version of Windows 10, latest tech preview. Note how it now features organizational login!

    [images]

    We link:

    [image]

    So what do we do with this "dashboard" type solution?

    [image]

    Adding…

    [image]

    See https://rapmls.portal.mms.microsoft.com/#Workspace/overview/settings/details/index

    So we have a preview2 server already deployed in the Azure VM cloud. Let's try hooking it up to this dashboard. First we log on with a newly created administrator (not the built-in admin) account, pwilliams2:

    [images]

    The monitoring agent may take several hours now to populate the dashboard with malware status, logging events, and other basic perspectives.

    Meantime, we configure the (optional) backup vault (in Azure, of course):

    [images]

    After several hours, we see that some data has transferred:

    [images]

    [PCI] change control (above)

    [images]

    [PCI] anti virus (above)

    [image]

    [PCI] centralization of events from log sources

    The PC Server thinks it has done a backup:

    [image]

    Posted in AAD

    cordova html/js app, and rapmlsqa.com IDP

    We have tried to build Cordova apps with AAD login before, without a clean build. Let's try again, now that we are using RC versions of everything.

    [images]

    On Windows, after installing tools and certs, we get:

    [images]

    We use the app, which is a directory service UA:

    [images]

    To build the app on Android (emulator):

    [images]

    Running this, we get:

    [images]

    Finally we get to run the apk file we just built/deployed:

    [images]

    Posted in AAD

    implicit grant and bearer authentication

    [images]

    We see how the id token received by the JavaScript app is used for bearer authentication when it then talks to the service endpoints of the same web app (the one that served the SPA .js code to the browser).

    [image]
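The part of that flow the screenshots do not show is the server side of the same web app: the bearer middleware that decides whether the id token the SPA attaches is acceptable. The following is an added example, not code from the sample shown; it assumes the Microsoft.Owin.Security.ActiveDirectory package and two hypothetical appSettings keys, ida:Tenant and ida:Audience, holding the tenant name and the app's own client id.

```csharp
using System.Configuration;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

// Added example (not the sample's code): the Web API side of the SPA. The SPA sends the id token
// as "Authorization: Bearer <token>", and this middleware accepts it only when the token was
// signed by the tenant's AAD and its "aud" is this application's client id.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // hypothetical appSettings keys holding the tenant name and the app's client id
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                // An id token carries "aud" equal to the client id that requested it, which is why a
                // token obtained by the SPA for its own registration is usable against this API.
                // Validating the audience is what stops a token issued for some other registered
                // app from being accepted here.
                Audience = ConfigurationManager.AppSettings["ida:Audience"]
            });
    }
}

// Any controller that should only answer to authenticated SPA calls is then marked:
//   [System.Web.Http.Authorize]
//   public class TodoListController : System.Web.Http.ApiController { ... }
```

The middleware fetches the tenant's signing keys from the federation metadata for the configured tenant, so a token signed by any other issuer is rejected before the audience is even looked at.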

    Posted in AAD

    openid sample with group limits

    The RC version of Visual Studio 2015 includes a set of samples, including those for OpenID Connect and use of the AAD Graph API, if one installs the Azure quickstarts extension:

    [images]

    Building the project requires little expertise:

    [images]

    We see that the AAD wizard, in Visual Studio, can show the web.config parameters:

    [image]

    to which we add directory read permissions using the wizard (which demands a client secret):

    [images]

    Note how it adds code to the project and OData-related libs, not just web.config parameters.

    We use the AAD applications configuration panel, next, to limit which users have access to the endpoint of the new app:

    [images]

    We see now that if we log on as another user, we get access denied:

    [images]

    If we assign group billTypeB to this application:

    [images]

    Access to the webapp is granted to the identity rapagent, now.

    [image]

    Posted in AAD

    Beer holder for bikes

    Yes… A custom leather fitting for bike and larger “growler” of beer.

    Dunno if I countenance this. But it's definitely special.

    Posted in coding theory

    lync/skype discovery with AAD credentials

    The Office 16 preview gives us a glimpse of how the OpenID Connect middleware in AAD has been grafted onto the webticket infrastructure (of old).

    [image]

    The basic discovery of endpoints, given a tenant-bound user name.

    Next, we see a block of protocol requests designed to get access to a secondary discovery service:

    [image]

    Note the OpenID Connect AAD-based authorization header, alongside the webticket header.

    [image]

    MEX of an STS, armed with OAuth-related policy for the Issue (token) action.

    [image]

    MEX of a cert provisioning STS (GetAndPublish verb, vs Issue/Refresh etc).

    This is as far as we get with rapstaff@rapmlsqa.com. With Microsoft's own IDP, based on the name admin@netmagic.onmicrosoft.com, we get a little further (but no successful login).

    [image]

    Posted in AAD

    Office 16 AAD login

    Office apps typically failed to work well with federated AAD accounts in earlier versions of the product suite. Let's look at Office 16 (preview!).

    Note that we have upgraded from the officially supported version (downloaded from office.com) to the preview, which perhaps justifies why we start out with an existing Hotmail/Live account, to which we now attempt to add a second account (rapstaff@rapmlsqa.com), bound to AAD.

    [images]

    This connects us to the account and services attached to the account:

    [image]

    One sees how the profile page projects the AAD record, and the organizational relationships too (rapstaff works for rapagent, for example).

    [image]

    Posted in coding theory

    AAD-powered access to visual studio (and online source repositories)

    [images]

    Posted in AAD

    android tablet emulator on windows 10

    [images]

    It would be interesting to know which TPM it uses (a simulator, or pass-through to the Windows motherboard).

    See http://amiduos.com/support/knowledge-base/article/upgrading-duos

    Having upgraded the app store to have both the Amazon app store and Google Play store, we installed the smarteragent app:

    [image]

    This allowed us to launch the Android app (on the Windows tablet):

    [image]

    Posted in windows 10

    windows 10 TPM

    We have long regarded the TPM initiative as evil, pure and simple. So let's play with it.

    Right now, when we load Windows it shows a red screen. So we booted to the UEFI setup manager and enabled the TPM chip. Back in Windows we see:

    [image]

    Let's clear the TPM:

    [image]

    This restarts the machine, booting to UEFI having pre-selected the option to clear the TPM. This requires hitting F12 (which doesn't seem to work on the tablet's peripheral keyboard).

    So we do it all again, figuring that we will use the on-screen keyboard (which works!).

    [image]

    So now we have a TPM, working in the latest mode (even less assured than the previous one, no doubt).

    [image]

    So, now we turn on BitLocker (of the C drive), and get the wonderful option to save the recovery keys in the cloud (where the FBI is trawling for them).

    [image]

    On a reboot we see:

    [image]

    Posted in windows 10

    windows 10 preview–playing with SSO

    On installing the latest Windows 10 preview on our Microsoft Surface Pro 3, we ignored the option in the setup wizard to use our AAD tenant. Rather, we made a local account and then, as shown below, promoted it to a Microsoft account.

    Now we wish to augment all this with the rapstaff@rapmlsqa.com AAD-based account, which happens to be 2-factor enabled.

    [image]

    On the settings tab we see:

    [image]

    We learn quickly to ignore the connect option in favor of the join AAD option:

    [images]

    We could not use our federated account (rapstaff@rapmlsqa.com), so we used an account built into the AAD tenant.

    [images]

    Second time around:

    [image]

    we see:

    [image]

    Posted in Azure AD

    Sanity

    Well done Alaska

    Posted in coding theory

    Scott petronis

    On nar’s odata/oauth based webapi.

    Lot of blather, at outset.

    Webapi – Standard access, for read and compare.

    Little or no technical information value. General orientation material for committee reporting.

    Little evidence of having done query execution engine engineering (though overall design looks fine).

    Posted in coding theory

    Michael wurzer at nar

    Pushes webapi for syndicating what is current syndicated using the rets protocol.

    In the world of webapi implementations that are just odata/rets converters, one sees that the odata/oauth features update the control plane of the rets process itself.

    Posted in coding theory

    Mark lesswing nar cto and node.js proxying rets to odata

    The nar prototype of a node.js server projecting an odata and oauth interface has evidently morphed…into a gateway between odata and rets (and oauth and rets login sessions).

    One thing odata does well is act as a transport (that can tunnel old fashioned dmql queries through to the old fashioned rets server).

    This will make for a very poor odata infrastructure, but it probably represents reality given the limits of what nar policed Real estate can and cannot do.

    Posted in coding theory

    Art carter – vice chair of reso


    Listing connect

    A re generation platform for sellers, matching agent to sellers.

    An app for sellers, free to sellers.

    Posted in coding theory